hashivault_db_secret_engine_role – Hashicorp Vault database secret engine role

New in version 3.17.8.

Synopsis

  • Module to define a database role for which Vault can generate dynamic credentials

Requirements

The below requirements are needed on the host that executes this module.

  • hvac>=0.10.1

  • ansible>=2.0.0

  • requests

Parameters

  • authtype
    Choices: token, userpass, github, ldap, approle
    Default: token, or environment variable `VAULT_AUTHTYPE`
    authentication type

  • aws_header
    Default: environment variable `VAULT_AWS_HEADER`
    X-Vault-AWS-IAM-Server-ID header value to prevent replay attacks.

  • ca_cert
    Default: environment variable `VAULT_CACERT`
    Path to a PEM-encoded CA cert file to use to verify the Vault server TLS certificate

  • ca_path
    Default: environment variable `VAULT_CAPATH`
    Path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate. If ca_cert is specified, its value will take precedence

  • client_cert
    Default: environment variable `VAULT_CLIENT_CERT`
    Path to a PEM-encoded client certificate for TLS authentication to the Vault server

  • client_key
    Default: environment variable `VAULT_CLIENT_KEY`
    Path to an unencrypted PEM-encoded private key matching the client certificate

  • creation_statements
    Specifies the database statements executed to create and configure a user. Make sure you account for Vault template variables such as {{name}}, which must be escaped in a play as {{'{{name}}'}}

  • db_name
    Name of the db configuration you're referencing. In my opinion, this should be called 'db connection', but hashi calls it db_name

  • login_mount_point
    Default: value of authtype, or environment variable `VAULT_LOGIN_MOUNT_POINT`
    authentication mount point

  • mount_point
    Default: "database"
    name of the secret engine mount.

  • name
    name of the role in vault

  • namespace
    Default: environment variable `VAULT_NAMESPACE`
    namespace for vault

  • password
    Default: environment variable `VAULT_PASSWORD`
    password to login to vault.

  • renew_statements
    Specifies the database statements to be executed to renew a user. Not every plugin type will support this functionality. See the plugin's API page for more information on support and formatting for this parameter.

  • revocation_statements
    Specifies the database statements to be executed to revoke a user. See the plugin's API page for more information on support and formatting for this parameter.

  • role_file
    File with a JSON object containing play parameters. Pass all params except name, state and mount_point, which stay in the ansible play

  • rollback_statements
    Specifies the database statements to be executed to roll back a create operation in the event of an error. Not every plugin type will support this functionality. See the plugin's API page for more information on support and formatting for this parameter.

  • state
    Choices: present, absent
    Default: "present"
    state of the object.

  • token
    Default: environment variable `VAULT_TOKEN`
    token for vault

  • token_max_ttl
    The maximum allowed lifetime, in seconds, of tokens issued using this role.

  • token_ttl
    The TTL period, in seconds, of tokens issued using this role.

  • url
    Default: environment variable `VAULT_ADDR`
    url for vault

  • username
    Default: environment variable `VAULT_USER`
    username to login to vault.

  • verify
    Default: environment variable `VAULT_SKIP_VERIFY`
    If set, do not verify the presented TLS certificate before communicating with the Vault server. Setting this variable is not recommended except during testing

Examples

---
- hosts: localhost
  tasks:
    # inline definition; each task must be a list item under tasks
    - hashivault_db_secret_engine_role:
        name: tester
        db_name: test
        creation_statements: []

    # definition loaded from a role_file; name, state and mount_point stay in the play
    - hashivault_db_secret_engine_role:
        name: tester
        role_file: "/Users/dmullen/git/namespaces/test-args/azure/args-db-role-file.json"
        state: "present"

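The following is an added example, not code from this module: using only the Python standard library, it validates a role_file of the kind described under role_file and creation_statements above and assembles the keyword arguments for hvac's client.secrets.database.create_role(), and it shows the Jinja escaping needed when the same statements are written inline in a play. The sample role_file contents and PostgreSQL statements are constructed, and the mapping of token_ttl/token_max_ttl onto hvac's default_ttl/max_ttl is an assumption.

```python
import json
import re

# Parameters the page says stay in the Ansible play; they must not be in the role_file.
PLAY_ONLY = {"name", "state", "mount_point"}
# Statement parameters the module accepts; all optional except creation_statements.
STATEMENT_KEYS = ("creation_statements", "revocation_statements",
                  "rollback_statements", "renew_statements")

# Constructed sample role_file contents (PostgreSQL-style statements, not from the page).
SAMPLE_ROLE_FILE = json.dumps({
    "db_name": "test",
    "creation_statements": [
        "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' "
        "VALID UNTIL '{{expiration}}';",
        "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
    ],
    "revocation_statements": ["DROP ROLE IF EXISTS \"{{name}}\";"],
    "token_ttl": 3600,
    "token_max_ttl": 86400,
})

def build_role_args(role_file_text, name, mount_point="database"):
    """Validate a role_file and return kwargs for create_role(); no Vault call is made."""
    params = json.loads(role_file_text)
    leaked = PLAY_ONLY & set(params)
    if leaked:
        raise ValueError(f"{sorted(leaked)} belong in the play, not the role_file")
    if "db_name" not in params or not params.get("creation_statements"):
        raise ValueError("db_name and creation_statements are required")
    # Vault fills {{name}} and {{password}} when it issues a credential; a creation
    # statement that never uses them cannot produce a usable dynamic account.
    joined = " ".join(params["creation_statements"])
    for tmpl in ("{{name}}", "{{password}}"):
        if tmpl not in joined:
            raise ValueError(f"creation_statements never reference {tmpl}")
    args = {"name": name, "mount_point": mount_point, "db_name": params["db_name"]}
    for key in STATEMENT_KEYS:
        if key in params:
            args[key] = list(params[key])
    # Assumed mapping: the module's token_ttl / token_max_ttl are hvac's default_ttl / max_ttl.
    if "token_ttl" in params:
        args["default_ttl"] = int(params["token_ttl"])
    if "token_max_ttl" in params:
        args["max_ttl"] = int(params["token_max_ttl"])
    return args

def escape_for_play(statement):
    """Wrap Vault's {{name}}-style templates so Jinja passes them through literally."""
    return re.sub(r"\{\{(\w+)\}\}", r"{{'{{\1}}'}}", statement)
```

The returned dict can be passed as `client.secrets.database.create_role(**args)` once an hvac client is authenticated.
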
Status

Authors

  • UNKNOWN
